authorLei Zhang <thestig@chromium.org>2015-05-11 13:56:06 -0700
committerLei Zhang <thestig@chromium.org>2015-05-11 13:56:06 -0700
commitabf60bae364d98f1b5056db4dad9af5f992fc33a (patch)
treea065e40cf0d605fde66b955fa2c34b5063266221
parent88d57aabc8b750678355b3ea890d6028270fbd93 (diff)
downloadpdfium-abf60bae364d98f1b5056db4dad9af5f992fc33a.tar.xz
Fix a heap overflow in CJBig2_Context::parseSymbolDict
BUG=476107 R=tsepez@chromium.org Review URL: https://codereview.chromium.org/1080893002 (cherry picked from commit eddab4425614e49146f904f00da4a664ba4b581b) Review URL: https://codereview.chromium.org/1135133002
-rw-r--r--core/src/fxcodec/jbig2/JBig2_ArithDecoder.h4
-rw-r--r--core/src/fxcodec/jbig2/JBig2_ArithQe.h1
-rw-r--r--core/src/fxcodec/jbig2/JBig2_GeneralDecoder.cpp2
3 files changed, 7 insertions, 0 deletions
diff --git a/core/src/fxcodec/jbig2/JBig2_ArithDecoder.h b/core/src/fxcodec/jbig2/JBig2_ArithDecoder.h
index 214688d3b2..33bbe39d0d 100644
--- a/core/src/fxcodec/jbig2/JBig2_ArithDecoder.h
+++ b/core/src/fxcodec/jbig2/JBig2_ArithDecoder.h
@@ -72,6 +72,10 @@ inline void CJBig2_ArithDecoder::BYTEIN()
}
inline int CJBig2_ArithDecoder::DECODE(JBig2ArithCtx *pCX)
{
+ if (!pCX || pCX->I >= JBIG2_QE_NUM) {
+ return 0;
+ }
+
int D;
const JBig2ArithQe * qe = &QeTable[pCX->I];
A = A - qe->Qe;
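Review bot: The new guard in DECODE returns 0 silently, so a corrupt context index is indistinguishable to the caller from a legitimately decoded 0 bit and decoding of a malformed stream continues rather than failing; DECODE has no error channel in its current signature, so the fallback at least needs a comment, e.g. `// Out-of-range context state: yield a 0 bit instead of reading past QeTable.` The bound JBIG2_QE_NUM is an extern const defined in another translation unit, so on this per-bit path the comparison is a memory load rather than a foldable constant; a constant-expression bound would let the compiler fold it. The table's last entry is index 46 (see the JBig2_GeneralDecoder.cpp hunk) and the state transitions presumably keep I within that range, so how I went out of range is not visible here — the check stops the overread but does not document its cause. DECODE's body continues past the end of the hunk.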
diff --git a/core/src/fxcodec/jbig2/JBig2_ArithQe.h b/core/src/fxcodec/jbig2/JBig2_ArithQe.h
index 5405e425b0..8a723bead0 100644
--- a/core/src/fxcodec/jbig2/JBig2_ArithQe.h
+++ b/core/src/fxcodec/jbig2/JBig2_ArithQe.h
@@ -13,4 +13,5 @@ typedef struct {
unsigned int nSwitch;
} JBig2ArithQe;
extern const JBig2ArithQe QeTable[];
+extern const unsigned int JBIG2_QE_NUM;
#endif
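Review bot: `JBIG2_QE_NUM` is declared here with no comment tying it to QeTable, and its definition in the JBig2_GeneralDecoder.cpp hunk is likewise bare; add `// Number of entries in QeTable; a JBig2ArithCtx::I value must be below this.` on the declaration. Because it is a non-constexpr const with external linkage, the inline DECODE in JBig2_ArithDecoder.h cannot fold the comparison against it; if the table size is fixed, an enum or constant in this header with an array-size check beside the definition would keep the two in sync at compile time. The definition's `extern const ... = sizeof(QeTable) / sizeof(JBig2ArithQe);` matches the existing style of the QeTable definition on the line above it, so only the missing documentation and the linkage choice are at issue.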
diff --git a/core/src/fxcodec/jbig2/JBig2_GeneralDecoder.cpp b/core/src/fxcodec/jbig2/JBig2_GeneralDecoder.cpp
index 6179317890..53faab4a46 100644
--- a/core/src/fxcodec/jbig2/JBig2_GeneralDecoder.cpp
+++ b/core/src/fxcodec/jbig2/JBig2_GeneralDecoder.cpp
@@ -61,6 +61,8 @@ extern const JBig2ArithQe QeTable[] = {
{ 0x5601, 46, 46, 0 }
};
+extern const unsigned int JBIG2_QE_NUM = sizeof(QeTable) / sizeof(JBig2ArithQe);
+
CJBig2_Image *CJBig2_GRDProc::decode_Arith(CJBig2_ArithDecoder *pArithDecoder, JBig2ArithCtx *gbContext)
{
if (GBW == 0 || GBH == 0) {